Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: some missing initializations on replay

In several places in the code, we have a label to signify
the start of the code where a request can be replayed if
necessary. However, some of these places were missing the
necessary reinitializations of certain local variables
before replay.

This change makes sure that these variables get initialized
after the label.
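As an added illustration (constructed for this page, not code from the kernel or from the fix commit it describes), the following C program shows the general shape of the defect class: a replay label that jumps back to rebuild a request, a buggy variant whose per-attempt state is initialized once before the label and therefore carries over into the replay, and a fixed variant that reinitializes that state immediately after the label. Every name in it (`build_compound_buggy`, `build_compound_fixed`, `send_attempt`, `num_rqst`, the request array) is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical compound-request builder, constructed to illustrate the
 * defect class behind CVE-2026-31693: state that must be reset whenever
 * control jumps back to the replay label. None of this is kernel code. */

#define MAX_RQST    4   /* capacity of the request vector */
#define MAX_REPLAYS 3   /* give up after this many replays */

struct fake_rqst {
    int opcode;
    int flags;
};

/* Simulated transport: fails the first `fail_first` attempts with a
 * retryable error (-1), then succeeds (0). `*attempt` counts the calls. */
static int send_attempt(int *attempt, int fail_first)
{
    (*attempt)++;
    return (*attempt <= fail_first) ? -1 : 0;
}

/* BUGGY variant: num_rqst is initialized once, before the label, so every
 * replay appends another copy of the two operations instead of rebuilding.
 * Returns the number of requests in the vector when the send succeeds, or
 * -1 if the stale count would overflow the vector or replays run out. */
int build_compound_buggy(int fail_first)
{
    struct fake_rqst rqst[MAX_RQST];
    int num_rqst = 0;            /* initialized BEFORE the label: the defect */
    int attempt = 0, replays = 0;

    memset(rqst, 0, sizeof(rqst));

replay_again:
    if (num_rqst + 2 > MAX_RQST)
        return -1;               /* stale count left over from the last attempt */
    rqst[num_rqst].opcode = 1;   /* e.g. "open" */
    rqst[num_rqst++].flags = 0;
    rqst[num_rqst].opcode = 2;   /* e.g. "query" */
    rqst[num_rqst++].flags = 0;

    if (send_attempt(&attempt, fail_first) < 0) {
        if (++replays > MAX_REPLAYS)
            return -1;
        goto replay_again;       /* per-attempt state is NOT reset here */
    }
    return num_rqst;
}

/* FIXED variant: the count and the vector are reinitialized right after
 * the label, so each replay starts from a clean request. */
int build_compound_fixed(int fail_first)
{
    struct fake_rqst rqst[MAX_RQST];
    int num_rqst;
    int attempt = 0, replays = 0;

replay_again:
    num_rqst = 0;                /* reinitialized AFTER the label */
    memset(rqst, 0, sizeof(rqst));

    rqst[num_rqst].opcode = 1;
    rqst[num_rqst++].flags = 0;
    rqst[num_rqst].opcode = 2;
    rqst[num_rqst++].flags = 0;

    if (send_attempt(&attempt, fail_first) < 0) {
        if (++replays > MAX_REPLAYS)
            return -1;
        goto replay_again;
    }
    return num_rqst;
}

int main(void)
{
    printf("no replay:   buggy=%d fixed=%d\n",
           build_compound_buggy(0), build_compound_fixed(0));
    printf("one replay:  buggy=%d fixed=%d\n",
           build_compound_buggy(1), build_compound_fixed(1));
    printf("two replays: buggy=%d fixed=%d\n",
           build_compound_buggy(2), build_compound_fixed(2));
    return 0;
}
```

With no replay both variants build two requests; after one replay the buggy variant reports four, and after two replays its stale count would run past the end of the vector (the explicit bounds check here stands in for what would otherwise be an out-of-bounds write), while the fixed variant always reports two. The lesson for review is mechanical: every local that a replay path reuses must be assigned after the label, not before it.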
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the CIFS driver of the Linux kernel: at several replay labels, local variables are not reinitialized before a request is replayed, so the retried code path can operate on stale or undefined data, potentially leading to a crash or a denial-of-service condition. The issue is characterized by CWE-908 (Improper Initialization) and CWE-909 (Improper Initialization of Dynamic Objects) weaknesses; it does not explicitly provide a path for privilege escalation or data exfiltration.

Affected Systems

Any Linux kernel build that does not include the fix commit whose hash begins with 14f66f4 is affected. The problem is confined to the CIFS component; other kernel subsystems are not impacted.

Risk and Exploitability

The CVSS score of 7.8 reflects high severity, while the EPSS score of < 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an adversary sending crafted SMB traffic that forces a replay, inferred from how the bug manifests in the CIFS driver.

Generated by OpenCVE AI on May 6, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that incorporates commit 14f66f4 or later, which adds required initializations.
  • Reboot the system or reload the CIFS module to load the updated code and ensure the replay paths are correctly initialized.
  • If patching cannot be performed immediately, temporarily disable CIFS or restrict SMB traffic by blacklisting the CIFS module or blocking SMB ports (139/445) from untrusted networks.

Advisories

Source      ID          Title
Debian DSA  DSA-6238-1  linux security update
History

Thu, 07 May 2026 13:00:00 +0000
  Type: CPEs
  Values:
    cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*

Wed, 06 May 2026 19:45:00 +0000
  Type: Weaknesses
  Values: CWE-908

Sun, 03 May 2026 06:30:00 +0000
  Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 12:45:00 +0000
  Type: Weaknesses
  Values: CWE-457

Sat, 02 May 2026 00:15:00 +0000
  Type: Weaknesses
  Values: CWE-909
  Type: References
  Type: Metrics
  Values Removed: threat_severity None
  Values Added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                  threat_severity Moderate

Fri, 01 May 2026 05:30:00 +0000
  Type: Weaknesses
  Values: CWE-457

Thu, 30 Apr 2026 12:15:00 +0000
  Type: Description
  Values Added: In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on replay In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary reinitializations of certain local variables before replay. This change makes sure that these variables get initialized after the label.
  Type: Title
  Values Added: cifs: some missing initializations on replay
  Type: First Time appeared
  Values Added: Linux, Linux linux Kernel
  Type: CPEs
  Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Type: Vendors & Products
  Values Added: Linux, Linux linux Kernel
  Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:43.454Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31693

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-30T12:16:24.103

Modified: 2026-05-07T12:49:05.780

Link: CVE-2026-31693

Red Hat

Severity : Moderate

Public Date: 2026-04-30T00:00:00Z

Links: CVE-2026-31693 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T21:15:13Z

Weaknesses